INSUBCONTINENT EXCLUSIVE:
Russian cybersecurity software makerKaspersky Labshas announced it will be moving core infrastructure processes to Zurich, Switzerland, as
part of a shift announced last year to try to win back customer trust.
It also said it arranging for the process to be independently
supervised by a Switzerland-based third party qualified to conduct technical software reviews.
&By the end of 2019, Kaspersky Lab will have
established a data center in Zurich and in this facility will store and process all information for users in Europe, North America,
Singapore, Australia, Japan and South Korea, with more countries to follow,& it writes in a press release.
&Kaspersky Lab will relocate to
Zurich its ‘software build conveyer& — a set of programming tools used to assemble ready to use software out of source code
Before the end of 2018, Kaspersky Lab products and threat detection rule databases (AV databases) will start to be assembled and signed with
a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide.
&The relocation will ensure that all
newly assembled software can be verified by an independent organization, and show that software builds and updates received by customers
match the source code provided for audit.&
InOctoberthe company unveiled what it dubbed a &comprehensive transparency initiative& as it
battled suspicionthat its antivirus software had been hacked or penetrated by the Russian government and used as a route for scooping up US
intelligence.
Since then Kaspersky hasclosed its Washington D.C
office— after a ban on its products for U.S
government use which was signed into law by president Trump in December.
Being a trusted global cybersecurity firm and operating core
processes out of Russia where authorities might be able to lean on your company for access has essentially become untenable as geopolitical
concern over the Kremlin online activities has spiked in recent years.
Yesterday the Dutch government became the latest public sector
customer to announce a move away from Kaspersky products (via Reuters) — saying it was doing so as a &precautionary measure&, and advising
companies operating vital services to do the same.
Responding to the Dutch government decision, Kaspersky described it as &very
disappointing&, saying its transparency initiative is &designed precisely to address any fears that people or organisations may have&.
&We
are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the
cyber-world is currently facing,& the company adds in a detailed QA about the measures
&This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends
Having said that, the overall aim of these measures is transparency, verified and proven, which means that anyone with concerns will now be
able to see the integrity and trustworthiness of our solutions.&
The core processes thatKaspersky will move from Russia to Switzerland over
this year and next — include customer data storage and processing (for &most regions&); and software assembly, including threat detection
updates.
As a result of the shift it says it will be setting up &hundreds& of servers in Switzerland and establishing a new data center
there, as well as drawing on facilities of a number of local data center providers.
Kaspersky is not exiting Russia entirely, though, and
products for the Russian market will continue to be developed and distributed out of Moscow.
&In Switzerland we will be creating the
‘worldwide& (ww) version of our products and AV bases
All modules for the ww-version will be compiled there
We will continue to use the current software build conveyer in Moscow for creating products and AV bases for the Russian market,& it writes,
claiming it is retaining a software build conveyor in Russia to &simplify local certification&.
Data of customers from Latin American and
Asia (with the exception of Japan, South Korea and Singapore) will also continue to be stored and processed in Russia — but Kaspersky says
the list of countries for which data will be processed and stored in Switzerland will be &further extended, adding: &The current list is an
initial one…and we are also considering the relocation of further data processing to other planned Transparency Centers, when these are
opened.&
Whether retaining a presence and infrastructure in Russia will work against Kaspersky wider efforts towin back trust globally
remains to be seen.
In the QA it claims: &There will be no difference between Switzerland and Russia in terms of data processing
In both regions we will adhere to our fundamental principle of respecting and protecting people privacy, and we will use a uniform approach
to processing users& data, with strict policies applied.&
However other pre-emptive responses in the document underline the trust challenge
it is likely to face — such as a question asking what kind of data stored in Switzerland that will be sent or available to staff in its
Moscow HQ.
On this it writes: &All data processed by Kaspersky Lab products located in regions excluding Russia, CIS, Latin America, Asian
and African countries, will be stored in Switzerland
By default only aggregated statistics data will be sent to R&D in Moscow
However, Kaspersky Lab experts from HQ and other locations around the world will be able to access data stored in the Transparency Center
Each information request will be logged and monitored by the independent Swiss-based organization.&
Clearly the robustness of the third
party oversight provisions will be essential to its Global Transparency Initiative winning trust.
We&re relocating a good part of our
critical RD infrastructure to Switzerland
A quick QA with details about Global Transparency Initiative: https://t.co/2WN1Z1p02f pic.twitter.com/6XRdZnSBTP
— Eugene Kaspersky
(@e_kaspersky) May 15, 2018
Kaspersky activity in Switzerland will be overseen by an (as yet unnamed) independent third party which the
company says will have &all access necessary to verify the trustworthiness of our products and business processes&, including: &Supervising
and logging instances of Kaspersky Lab employees accessing product meta data received through KSN [Kaspersky Security Network] and stored in
the Swiss data center;and organizing and conducting a source code review, plus other tasks aimed at assessing and verifying the
trustworthiness of its products.
Switzerland will also host one of the dedicated Transparency Centers the company said last year that it
would be opening as part of the wider program aimed at securing customer trust.
It expects the Swiss center to open this year, although the
shifting of core infrastructure processes won&t be completed until Q4 2019
(It says on account of the complexity of redesigning infrastructure that been operating for ~20 years — estimating the cost of the project
to be $12M.)
Within the Transparency Center, which Kaspersky will operate itself, the source code of its products and software updates will
be available for review by &responsible stakeholders& — from the public and private sector.
It adds that the details of review processes
— including how governments will be able to review code — are ¤tly under discussion& and will be made public&as soon as they are
available&.
And providing government review in a way that does not risk further undermining customer trust may also provide a tricky
balancing act for Kaspersky, given multi-directional geopolitical sensibilities, so the devil will be in the policy detail vis-a-vis
&trusted& partners and whether the processes it deploys can reassure all of its customers all of the time.
&Trusted partners will have
access to the company code, software updates and threat detection rules, among other things,& it writes, saying the Center will provide
these third parties with: &Access to secure software development documentation;Access to the source code of any publicly released
product;Access to threat detection rule databases;Access to the source code of cloud services responsible for receiving and storing the data
of customers based in Europe, North America, Australia, Japan, South Korea and Singapore; Access to software tools used for the creation of
a product (the build scripts), threat detection rule databases and cloud services&; along with &technical consultations on code and
technologies&.
It is still intending to open two additional centers, one in North America and one in Asia, but precise locations have not
yet been announced.
On supervision and review Kaspersky also says that it hoping to work with partners to establish an independent,
non-profit organization for the purpose of producing professional technical reviews of the trustworthiness of the security products of
multiple members — including but not limited to Kaspersky Lab itself.
Which would certainly go further to bolster trust.Though it has
nothing firm to share about this plan as yet.
&Since transparency and trust are becoming universal requirements across the cybersecurity
industry, Kaspersky Lab supports the creation of a new, non-profit organization to take on this responsibility, not just for the company,
but for other partners and members who wish to join,& it writes on this.
Next month it also hosting an online summit to discuss &the growing
need for transparency, collaboration and trust& within the cybersecurity industry.
Commenting in a statement, CEO Eugene Kaspersky,
added:&In a rapidly changing industry such as ours we have to adapt to the evolving needs of our clients, stakeholders and partners
Transparency is one such need, and that is why we&ve decided to redesign our infrastructure and move our data processing facilities to
We believe such action will become a global trend for cybersecurity, and that a policy of trust will catch on across the industry as a key
